87% of Open-Source Vulns Are XSS and SQL Injection

Cross-site scripting vulnerabilities still top the open-source vulnerability heap, new research has revealed.

Cross-site scripting, also known as XSS, allows the attacker to inject malicious client-side scripts into a website, which are later executed by the victims while browsing the website. There are different cross-site scripting variants, all of which can be used to craft different types of attacks.

Based on the scanning of almost 400 open source web applications by the Netsparker security scanning engine, XSS accounts for 67% of all the identified vulnerabilities. SQL injection vulnerabilities were a distant second, amounting to 20% of the total. The remaining 13% were made up of remote and local file inclusions, CSRF, remote command execution, command injection, open redirection, HTTP header injection (web server software issue) and frame injection.

“Cross-site scripting and SQL injection vulnerabilities have been included in the OWASP Top 10 since the project started, mainly because they are very easy to find and also very easy to exploit,” the researchers noted. “And yet, even after years of raising awareness about these vulnerabilities, the majority of the web applications we use are vulnerable to these types of vulnerabilities.”

The report added that, for database access, parameterized queries make it easy to protect all the common create, read, update and delete (CRUD) operations against SQL injection; XSS is a different animal, and it will continue to take the lion's share of the vulnerabilities.
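To show what "parameterized queries make CRUD safe" means in practice, here is an added example that is not code from the Netsparker report or from any of the scanned applications. It assumes Python's built-in sqlite3 module as a stand-in for whatever database a real application uses (the `?` placeholder syntax varies between drivers, the principle does not), and the table contents are constructed sample data. The lookup is written twice: once with string concatenation, kept deliberately vulnerable for comparison, and once with a bound parameter; the create, update and delete operations are shown only in their parameterized form.

```python
import sqlite3

# Added example (not from the Netsparker report): the same CRUD operations
# written once with string concatenation (deliberately vulnerable) and once
# with parameterized queries. sqlite3 stands in for the real database.


def make_db() -> sqlite3.Connection:
    """Create an in-memory table filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT)"
    )
    # executemany is itself parameterized: every value is bound, never spliced in.
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("o'brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable READ: the input becomes part of the SQL text,
    so a quote character in it changes the structure of the statement."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized READ: the value travels separately from the SQL text and
    is always treated as data, whatever characters it contains."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? ORDER BY id", (username,)
    )
    return [row[0] for row in rows]


def create_user_safe(conn: sqlite3.Connection, username: str, email: str) -> int:
    """Parameterized CREATE; returns the id of the new row."""
    cur = conn.execute(
        "INSERT INTO users (username, email) VALUES (?, ?)", (username, email)
    )
    conn.commit()
    return cur.lastrowid


def update_email_safe(conn: sqlite3.Connection, username: str, new_email: str) -> int:
    """Parameterized UPDATE; returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE users SET email = ? WHERE username = ?", (new_email, username)
    )
    conn.commit()
    return cur.rowcount


def delete_user_safe(conn: sqlite3.Connection, username: str) -> int:
    """Parameterized DELETE; returns the number of rows removed."""
    cur = conn.execute("DELETE FROM users WHERE username = ?", (username,))
    conn.commit()
    return cur.rowcount


def unsafe_lookup_fails(conn: sqlite3.Connection, username: str) -> bool:
    """True if the concatenating version cannot even handle this legitimate
    value: an apostrophe in a name is a SQL syntax error for it, so the
    concatenation is a correctness bug as well as a security bug."""
    try:
        find_user_unsafe(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Constructed input of the kind a search box might receive: for the
    # concatenating query the OR clause becomes part of the WHERE condition
    # and every row matches; the parameterized query looks for that exact
    # (nonexistent) username and returns nothing.
    crafted = "nobody' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, crafted))
    print("safe:  ", find_user_safe(db, crafted))
    print("legit apostrophe, safe:", find_user_safe(db, "o'brien"))
    print("legit apostrophe, unsafe raises:", unsafe_lookup_fails(db, "o'brien"))
```

The point worth taking from the `o'brien` row is that parameterization is not only the secure option but the correct one: the concatenating query breaks on ordinary names, which is usually how this bug first surfaces in testing.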

“Today’s complex web applications are not making the developers’ job any easier,” the report noted. “Developers have to understand all the different contexts of the XSS attacks to write code that is not susceptible to XSS vulnerabilities. Unless they do understand it and write or use a library that can protect the application against XSS attacks in all output contexts (HTML, attribute, JavaScript, client-side template etc.), we will keep on seeing the same trend; expect less SQL Injection and more cross-site scripting vulnerabilities in web applications.”

Netsparker argues that, contrary to popular belief, XSS vulnerabilities can be as dangerous as SQL injection. Conventional wisdom says that because the victim is the visitor of the website rather than the actual web application, the web server or the data stored in the database, the damage is contained. In other words, the hacker would only gain access to the specific user’s profile, private messages and forum posts, rather than tamper with the web application itself to steal whole swathes of sensitive data, such as customer details and credit card numbers.

But what if the victim of the XSS attack is the forum's administrator? An attacker can then work his or her way up from the administrator's privileges to root access on the main shell servers.